Security Analysis of Network Protocols Anupam Datta Stanford University UW-Madison CSD April 18, 2005

Mar 13, 2016

Transcript
Page 1: Security Analysis of Network Protocols

Security Analysis of Network Protocols

Anupam Datta
Stanford University

UW-Madison CSD
April 18, 2005

Page 2: Security Analysis of Network Protocols

Outline

Part I: Overview
• Motivation
• Central problems
– Divide and Conquer paradigm
– Combining logic and cryptography
• Results

Part II: Glimpses of technical machinery
• Divide and Conquer Paradigm
– Protocol Derivation System
– Protocol Composition Logic
• Combining logic and cryptography
– Complexity-theoretic foundations

Page 3: Security Analysis of Network Protocols

This talk is about…

Industrial network protocols
• Internet Engineering Task Force (IETF) Standards
– SSL/TLS - web authentication
– IPSec - corporate VPNs
– Mobile IPv6 – routing security
– Kerberos - network authentication
– GDOI – secure group communication
• IEEE Standards Working Group
– 802.11i - wireless security

And methods for their security analysis
• Security proof in some model; or
• Identify attacks

Page 4: Security Analysis of Network Protocols

Motivating Example [Needham-Schroeder78]

A → B: { A, Noncea }Kb
B → A: { Noncea, Nonceb }Ka
A → B: { Nonceb }Kb

Result: A and B share two private numbers not known to any observer without Ka^-1, Kb^-1

Page 5: Security Analysis of Network Protocols

Anomaly in Needham-Schroeder [Lowe96]

A → E: { A, Na }Ke
E → B: { A, Na }Kb
B → E: { Na, Nb }Ka
E → A: { Na, Nb }Ka
A → E: { Nb }Ke

Evil agent E tricks honest A into revealing private key Nb from B. Evil E can then fool B.
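The anomaly above can be checked mechanically in a symbolic model. The following is an added example, not code from the talk: it replays the slide's exchange and tests the agreement property, then repeats the run with the responder's name included in the second message (the repair published in [Lowe96], which is not shown on the slide). The function names and the sample nonces are assumptions made for illustration.

```python
# Symbolic (Dolev-Yao style) model: encryption is a tagged tuple that only
# the key owner can open. All names and nonces are constructed sample values.

def enc(owner, *fields):
    return ("enc", owner, fields)

def dec(me, term):
    tag, owner, fields = term
    if tag != "enc" or owner != me:
        raise PermissionError(f"{me} cannot decrypt a term for {owner}")
    return fields

def run_session(with_identity_fix):
    """Replay the slide's exchange: A runs with E, E relays to B."""
    na, nb = "Na", "Nb"
    # A -> E: {A, Na}Ke   (A willingly starts a session with E)
    m1 = enc("E", "A", na)
    # E -> B: {A, Na}Kb   (B decrypts and believes the initiator is A)
    claimed, got_na = dec("B", enc("B", *dec("E", m1)))
    # B -> E -> A: {Na, Nb}Ka; E cannot open it and only forwards it.
    reply = (got_na, nb, "B") if with_identity_fix else (got_na, nb)
    m2 = enc(claimed, *reply)
    fields = dec("A", m2)
    # A's checks: its own nonce and, in the repaired variant, that the
    # responder named in the message is the peer A is running with (E).
    if fields[0] != na or (with_identity_fix and fields[2] != "E"):
        return {"a_aborts": True, "e_learns_nb": False, "b_accepts_peer": None}
    # A -> E: {Nb}Ke   (A answers its peer E, which reveals Nb to E)
    (leaked,) = dec("E", enc("E", fields[1]))
    # E can then fool B: B sees its nonce come back and accepts.
    (echo,) = dec("B", enc("B", leaked))
    return {"a_aborts": False, "e_learns_nb": leaked == nb,
            "b_accepts_peer": claimed if echo == nb else None}

def authentication_holds(result, a_intended_peer="E"):
    # Agreement: B may accept "A" only if A was actually running with B.
    return result["b_accepts_peer"] is None or a_intended_peer == "B"
```

In the original protocol B completes a run "with A" although A only ever intended to talk to E; with the responder's name bound into the second message, A aborts before releasing Nb.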

Page 6: Security Analysis of Network Protocols

Characteristics of protocols

Relatively simple distributed programs
• 5-7 steps, 3-10 fields per message (per component)

Mission critical
• Security of data, credit card numbers, …

Subtle
• Concurrency: attack may combine data from many sessions
• Computation: modeling cryptographic primitives

Good domain for logical methods
Active research area since early 80’s

Page 7: Security Analysis of Network Protocols

Security Analysis Methodology

[Diagram labels: Protocol; Property; Attacker model; Analysis Tool; Security proof or attack]

Our tool: Protocol Composition Logic (PCL)
SSL authentication
- Complete control over network
- Perfect crypto
42 line axiomatic proof

Page 8: Security Analysis of Network Protocols

Classifying Attacks

Implementation bugs
• Buffer overflow, format string vulnerabilities

Cryptography breaks
• IEEE 802.11b (WEP encryption), GSM cell phone

Protocol flaws
• Needham-Schroeder, IKE, IEEE 802.11i

• Focus on protocol flaws assuming “strong crypto”
• Complexity-theoretic characterization of “strong crypto”

Page 9: Security Analysis of Network Protocols

IEEE 802.11i wireless security [2004]

[Diagram: Wireless Device, Access Point, Authentication Server; stages listed: 802.11 Association, EAP/802.1X/RADIUS Authentication, 4-way handshake, Group key handshake, Data communication]

• Divide-and-conquer paradigm
• Combining logic and cryptography

Uses crypto: encryption, hash,

Page 10: Security Analysis of Network Protocols

Divide-and-Conquer paradigm

Result: Protocol Derivation System
• Incremental protocol construction

Result: Protocol Composition Logic (PCL)
• Compositional correctness proofs

Related work: [Heintze-Tygar96], [Lynch99], [Sheyner-Wing00], [Canetti01], …

Composition is a hard problem in security

Central Problem 1

Page 11: Security Analysis of Network Protocols

Combining logic and cryptography

Symbolic model [DY84]
- Perfect cryptography assumption
+ Idealization => tools and techniques

Complexity-theoretic model [GM84]
+ More detailed model; probabilistic guarantees
- Hand-proofs very hard; no automation

Result: Computational PCL
+ Logical proof methods
+ Complexity-theoretic crypto model

Related work: [Mitchell-Scedrov et al 98-04], [Abadi-Rogaway00], [Backes-Pfitzmann-Waidner03-04], [Micciancio-Warinschi04]

Central Problem 2

Page 12: Security Analysis of Network Protocols

Applied to industrial protocols

IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG)
IKEv2 [IETF Internet Draft; 2004]
TLS/SSL [RFC 2246; 1999]
Kerberos V5 [IETF Internet Draft; 2004]
GDOI Secure Group Communication protocol [RFC 3547; 2003] (Attack! Fix adopted by IETF WG)

Many More:
• STS, JFKi, JFKr, SKID3, ISO-9798-2, ISO-9798-3, NSL,…

Page 13: Security Analysis of Network Protocols

IPSec

Widely deployed: Corporate VPNs
Provides secrecy and integrity
IKEv2 is the IPSec key exchange protocol

[Diagram labels: Internet; IP layer host-to-host security]

Page 14: Security Analysis of Network Protocols

IKEv2 [IETF ID 2004]

IKE_INIT (Exchange key material)
I → R: HDR, SAi1, g^i, Ni
R → I: HDR, SAr1, g^r, Nr

IKE_AUTH (Authenticate)
I → R: HDR, SK {IDi, [CERT,] [CERTREQ,] [IDr,] AUTH, SAi2, TSi, TSr}
R → I: HDR, SK {IDr, [CERT,] AUTH, SAr2, TSi, TSr}

IKE_CHILD_SA (Rekey)

• Modular proofs
• Multi-mode (Unified “template” proof)
• Properties: authentication, shared secret, identity & DoS protection, repudiability

Multi-mode protocol: authenticator can use either signature or pre-shared key

Page 15: Security Analysis of Network Protocols

Mobile IPv6 [IETF ID 2004]

[Diagram labels: Stanford; Wisconsin; Home address; Care of address; Correspondent Node]

• Change of location
• Authentication
• DoS issues
• Protocol breaks if attacker controls complete network

Page 16: Security Analysis of Network Protocols

GDOI [RFC 3547, 2003]

• Secure group communication
• Composition attack
• Fix adopted by IETF WG

Communicating in a group can be difficult…

[Diagram labels: Public network; Group controller]

Page 17: Security Analysis of Network Protocols

Protocol analysis spectrum

[Figure: chart of analysis approaches plotted by "Protocol complexity" (Low to High) against "Strength of attacker model" (Low to High). Labels: Mur, FDR, NRL, Athena, Hand proofs, Paulson, BAN logic, Spi-calculus, Poly-time calculus, Model checking, Protocol logic, Computational Protocol logic, Multiset rewriting, Holy Grail. Annotations: Combining logic and cryptography; Divide and conquer.]

Page 18: Security Analysis of Network Protocols

Outline

Part I: Overview

Part II: Glimpses of technical machinery
• Divide and conquer paradigm
– Protocol Derivation System
– Protocol Composition Logic
• Combining logic and cryptography
– Complexity-theoretic foundations

Page 19: Security Analysis of Network Protocols

Protocol Derivation System

Construct protocol with properties:
• Shared secret
• Authenticated
• Identity Protection
• DoS Protection

Design requirements for IKE, JFK, IKEv2 (IPSec key exchange protocol)

Page 20: Security Analysis of Network Protocols

Component 1

Diffie Hellman
A → B: g^a
B → A: g^b

• Shared secret (with someone)
– A deduces: Knows(Y, g^ab) (Y = A) ∨ Knows(Y,b)
• Authenticated
• Identity Protection
• DoS Protection

Page 21: Security Analysis of Network Protocols

Component 2

Challenge-Response
A → B: m, A
B → A: n, sigB {m, n, A}
A → B: sigA {m, n, B}

• Shared secret
• Authenticated
– A deduces: Received (B, msg1) ∧ Sent (B, msg2)
• Identity Protection
• DoS Protection

Page 22: Security Analysis of Network Protocols

Composition

ISO-9798-3
m := g^a
n := g^b

A → B: g^a, A
B → A: g^b, sigB {g^a, g^b, A}
A → B: sigA {g^a, g^b, B}

• Shared secret: g^ab
• Authenticated
• Identity Protection
• DoS Protection

Technically: sequential composition with variable substitution

Page 23: Security Analysis of Network Protocols

Refinement

Encrypt Signatures
A → B: g^a, A
B → A: g^b, EK {sigB {g^a, g^b, A}}
A → B: EK {sigA {g^a, g^b, B}}

• Shared secret: g^ab
• Authenticated
• Identity Protection
• DoS Protection

Technically: term replacement/function variable substitution

Page 24: Security Analysis of Network Protocols

Transformation

Use cookie: JFK core protocol
A → B: g^a, A
B → A: g^b, hashKB {g^b, g^a}
A → B: g^a, g^b, EK {sigA {g^a, g^b, B}}, hashKB {g^b, g^a}
B → A: g^b, EK {sigB {g^a, g^b, A}}

• Shared secret: g^ab
• Authenticated
• Identity Protection
• DoS Protection

Technically: program transformation

Page 25: Security Analysis of Network Protocols

Tool Support (PDA)

Page 26: Security Analysis of Network Protocols

Outline

Part I: Overview

Part II: Glimpses of technical machinery
• Divide and conquer paradigm
– Protocol Derivation System
– Protocol Composition Logic
• Combining logic and cryptography
– Complexity-theoretic foundations

Page 27: Security Analysis of Network Protocols

Challenge-Response: Proof Idea

A → B: m, A
B → A: n, sigB {m, n, A}
A → B: sigA {m, n, B}

Alice reasons: if Bob is honest, then:
• only Bob can generate his signature. [protocol independent]
• if Bob generates a signature of the form sigB {m, n, A},
– he sends it as part of msg 2 of the protocol and
– he must have received msg1 from Alice. [protocol specific]

Alice deduces: Received (B, msg1) ∧ Sent (B, msg2)

Page 28: Security Analysis of Network Protocols

Reasoning method

Reason about local information
• I know my own actions

Incorporate knowledge of protocol
• Honest people faithfully follow protocol

No explicit reasoning about intruder
• Absence of bad action expressed as a positive property of good actions
– E.g., honest agent’s signature can be produced only by the agent

Distinguishes our method from existing techniques

Page 29: Security Analysis of Network Protocols

Formalism

Cord calculus
• Protocol programming language
• Execution model (Symbolic/“Dolev-Yao”)

Protocol logic
• Expressing protocol properties

Proof system
• Proving protocol properties
• Soundness theorem

Page 30: Security Analysis of Network Protocols

Challenge-Response as Cords

A → B: m, A
B → A: n, sigB {m, n, A}
A → B: sigA {m, n, B}

InitCR(A, X) = [
  new m;
  send A, X, m, A;
  receive X, A, x, sigX{m, x, A};
  send A, X, sigA{m, x, X};
]

RespCR(B) = [
  receive Y, B, y, Y;
  new n;
  send B, Y, n, sigB{y, n, Y};
  receive Y, B, sigY{y, n, B};
]

Page 31: Security Analysis of Network Protocols

Challenge Response: Property

Modal form: [ actions ]P
• precondition: Fresh(A,m)
• actions: [ Initiator role actions ]A
• postcondition: Honest(B) ActionsInOrder(
    send(A, {A,B,m}),
    receive(B, {A,B,m}),
    send(B, {B,A,{n, sigB {m, n, A}}}),
    receive(A, {B,A,{n, sigB {m, n, A}}}) )
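The cords and the ActionsInOrder postcondition can be exercised together in a small symbolic run. This is an added example, not code from the talk or from the PCL tools: `run_cr`, `actions_in_order`, `initiator_rejects` and the `tamper` hook are hypothetical names, the nonces are constructed sample values, and the log records the four-field messages of the cords rather than the abbreviated {A,B,m} form.

```python
# Symbolic model: sig(signer, ...) stands for a signature only `signer` can make.
def sig(signer, *fields):
    return ("sig", signer, fields)

def run_cr(a, b, m, n, tamper=lambda msg: msg):
    """Run InitCR(a, b) against RespCR(b); return the ordered action log.
    `tamper` models the network rewriting a message in transit (assumed
    unable to produce sig terms for honest parties)."""
    log = []

    def deliver(sender, receiver, msg):
        log.append(("send", sender, msg))
        msg = tamper(msg)
        log.append(("receive", receiver, msg))
        return msg

    # InitCR: new m; send A, X, m, A
    src, dst, y, claimed = deliver(a, b, (a, b, m, a))
    # RespCR: receive Y, B, y, Y; new n; send B, Y, n, sigB{y, n, Y}
    if dst != b or src != claimed:
        raise ValueError("responder: malformed first message")
    _, _, x, s = deliver(b, a, (b, claimed, n, sig(b, y, n, claimed)))
    # InitCR: receive X, A, x, sigX{m, x, A} (must match A's own m and name)
    if s != sig(b, m, x, a):
        raise ValueError("initiator: signature is not sigB{m, x, A}")
    # InitCR: send A, X, sigA{m, x, X}
    _, _, s2 = deliver(a, b, (a, b, sig(a, m, x, b)))
    # RespCR: receive Y, B, sigY{y, n, B}
    if s2 != sig(claimed, y, n, b):
        raise ValueError("responder: signature is not sigA{y, n, B}")
    return log

def actions_in_order(log, *expected):
    """ActionsInOrder: `expected` occurs in `log` as an ordered subsequence."""
    remaining = iter(log)
    return all(action in remaining for action in expected)

def initiator_rejects(tamper):
    """True if the initiator aborts the run under the given network tampering."""
    try:
        run_cr("A", "B", "m", "n", tamper)
    except ValueError as err:
        return str(err).startswith("initiator")
    return False
```

When the challenge m is rewritten in transit, B signs a different value and A's pattern match on sigB{m, x, A} fails, which is the protocol-specific step Alice's reasoning relies on.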

Page 32: Security Analysis of Network Protocols

Proof System

Sample Axioms:
• Reasoning about possession:
– [receive m ]A Has(A,m)
– Has(A, {m,n}) Has(A, m) Has(A, n)
• Reasoning about crypto primitives:
– Honest(X) Decrypt(Y, encX{m}) X=Y
– Honest(X) Verify(Y, sigX{m}) m’ (Send(X, m’) Contains(m’, sigX{m})

Soundness Theorem:
Every provable formula is valid

Page 33: Security Analysis of Network Protocols

Reasoning about Composition

Non-destructive Combination:
Ensure combined parts do not interfere
– In logic: invariance assertions

Additive Combination:
Accumulate security properties of combined parts, assuming they do not interfere
– In logic: before-after assertions

Page 34: Security Analysis of Network Protocols

Proof steps (Intuition)

Protocol independent reasoning
• Has(A, {m,n}) Has(A, m) Has(A, n)
• Still good: unaffected by composition

Protocol specific reasoning
• “if honest Bob generates a signature of the form sigB {m, n, A},
– he sends it as part of msg 2 of the protocol and
– he must have received msg1 from Alice”
• Could break: Bob’s signature from one protocol could be used to attack another

Technically:
• Protocol-specific proof steps use invariants
• Invariants must be preserved for safe composition

Page 35: Security Analysis of Network Protocols

Composing protocols

DH Honest(X) …

(Invariant) ’

|- Secrecy ’ |- Authentication

’ |- Secrecy ’ |- Authentication

’ |- Secrecy Authentication [additive]DH CR ’ [nondestructive] ISO Secrecy Authentication

=CR Honest(X) …

Sequential and parallel composition theorems

Page 36: Security Analysis of Network Protocols

Composition Rules

Invariant weakening rule
|- […]P
’ |- […]P

Sequential Composition
|- [ S ] P |- [ T ] P
|- [ ST ] P

Prove invariants from protocol
Q Q’ Q Q’

Also have proof method for class of refinements & transformations

Page 37: Security Analysis of Network Protocols

Applications

IEEE 802.11i authentication protocol [IEEE Standards; 2004] (Attack! Fix adopted by IEEE WG)
IKEv2 [IETF Internet Draft; 2004]
TLS [RFC 2246; 1999]
Kerberos V5 [IETF Internet Draft; 2004]
GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG)

Many More:
• STS, JFKi, JFKr, SKID3, ISO-9798-2, ISO-9798-3, NSL,…

Page 38: Security Analysis of Network Protocols

Tool Support

Isabelle Proof Assistant for PCL
• Encode syntax and proof system of PCL into a generic theorem-prover

consts PSend :: "[thread,CTerm] => o"
syntax PSend :: "[threadI,CTermlist] => actformI" ("Send'(_,_')")
axioms
  AA1S: "{P, X[send t], Send(X,t)}"
  REC : "Receive(X,t) --> Has(X,t)"
Rule:
  SEQ: "[|{P, X[S1], Q} ; {Q, X[S2], R}|] ==> {P, X[S1 ; S2], R}"

Page 39: Security Analysis of Network Protocols

Sample proof (forward reasoning)

lemma "{P,X[new t; send t],Has(X,t) & Send(X,t)}";
proof -;
have A: "{P,X[new t; send t],Has(X,t)}";
apply (rule G3);
apply (rule SEQ);
apply (rule AA1N);
apply (rule P1N);
apply (blast);
apply (rule ORIG);
done;

Use PCL axioms and rules to carry out proofs
Use Isabelle’s first-order reasoner

Page 40: Security Analysis of Network Protocols

Outline

Part I: Overview

Part II: Glimpses of technical machinery
• Divide and conquer paradigm
– Protocol Derivation System
– Protocol Composition Logic
• Combining logic and cryptography
– Complexity-theoretic foundations

Page 41: Security Analysis of Network Protocols

Two worlds

Attacker actions
• Symbolic model [NS78,DY84]: - Fixed set of actions, e.g., decryption with known key (ABSTRACTION)
• Complexity-theoretic model [GM84]: + Any probabilistic poly-time computation

Security properties
• Symbolic model [NS78,DY84]: - Idealized, e.g., secret message = not possessing atomic term representing message (ABSTRACTION)
• Complexity-theoretic model [GM84]: + Fine-grained, e.g., secret message = no partial information about bitstring representation

Analysis methods
• Symbolic model [NS78,DY84]: + Successful array of tools and techniques; automation
• Complexity-theoretic model [GM84]: - Hand-proofs are difficult, error-prone; no automation

Can we get the best of both worlds?

Page 42: Security Analysis of Network Protocols

Our Approach

Protocol Composition Logic (PCL)
• Syntax
• Proof System

Symbolic “Dolev-Yao” model
• Semantics

Computational PCL
• Syntax ±
• Proof System ±

Complexity-theoretic model
• Semantics

Talk so far…
Leverage PCL success

Idea: Use same logical proof methods for complexity-theoretic cryptography

Page 43: Security Analysis of Network Protocols

Our result

Computational PCL: A symbolic logic for proving security properties of network protocols that use public-key encryption

Soundness Theorem: If a property is provable within the proof system of CPCL, it holds in the complexity-theoretic model with probability asymptotically close to 1.
+ Symbolic proofs
+ Complexity-theoretic model

Logical methods for complexity-theoretic cryptography

Page 44: Security Analysis of Network Protocols

Soundness of proof system

Information-theoretic reasoning
[new u]X (Y X) Indistinguishable(Y, u)

Complexity-theoretic reductions
Source(Y,u,{m}X) Decrypts(X, {m}X)
Honest(X,Y) (Z X,Y) Indistinguishable(Z, u)

Asymptotic calculations

Sum of two negligible functions is a negligible function

Reduction to CCA2-secure encryption scheme

Page 45: Security Analysis of Network Protocols

Summary

Methodology:
• Divide-and-conquer paradigm in security
• Combining logic and cryptography

Applications:
• IEEE 802.11i (Attack! Fix adopted by IEEE WG)
• GDOI Secure Group Communication protocol [RFC 3547; 2003] (Composition Attack! Fix adopted by IETF WG)
• IKEv2 [IETF Internet Draft; 2004]
• TLS [RFC 2246; 1999]
• Kerberos V5 [IETF Internet Draft; 2004]

Page 46: Security Analysis of Network Protocols

Research Directions

Bring automated tools and techniques to industrial protocol design
Formal methods and cryptography
Composition of secure systems
Apply similar techniques to other kinds of security mechanisms
• Web services
Software analysis of secure systems
• Model-checking C code